10 matches found

CVE | added 2024/01/30 5:15 p.m. | 188 views

CVE-2024-23647

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to ...

CVSS 8.8 | AI score 8.8 | EPSS 0.00055

CVE | added 2024/08/22 4:15 p.m. | 89 views

CVE-2024-42490

authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /...

CVSS 7.5 | AI score 7.6 | EPSS 0.00207

CVE | added 2024/06/28 6:15 p.m. | 83 views

CVE-2024-37905

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including r...

CVSS 8.8 | AI score 8.9 | EPSS 0.0038

CVE | added 2024/06/28 6:15 p.m. | 80 views

CVE-2024-38371

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patch...

CVSS 8.6 | AI score 8.7 | EPSS 0.0024

CVE | added 2024/11/21 6:15 p.m. | 80 views

CVE-2024-52287

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.

CVSS 6.4 | AI score 6.5 | EPSS 0.00097

CVE | added 2024/09/27 4:15 p.m. | 56 views

CVE-2024-47070

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known login ...

CVSS 9 | AI score 9.2 | EPSS 0.00176

CVE | added 2024/11/21 6:15 p.m. | 50 views

CVE-2024-52289

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping ch...

CVSS 7.9 | AI score 6.5 | EPSS 0.00112

CVE | added 2024/09/27 4:15 p.m. | 46 views

CVE-2024-47077

authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued f...

CVSS 6.5 | AI score 6.3 | EPSS 0.00132

CVE | added 2024/11/21 6:15 p.m. | 36 views

CVE-2024-52307

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be acc...

CVSS 6.3 | AI score 6.6 | EPSS 0.00132

CVE | added 2024/01/11 6:15 a.m. | 32 views

CVE-2024-21637

Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with response_mode=form_post. This relatively user could use the described attacks to perform a privilege escalation. This vulnerabi...

CVSS 7.6 | AI score 5.3 | EPSS 0.00126